A computer network typically incorporates security functionality to protect the computers of the network against malware and other malicious activity. Malware authors and threat intelligence researchers are engaged in a continuing cycle of obfuscation and detection, respectively. Threat intelligence researchers commonly execute and analyze malware in a sandbox environment. Malware samples submitted to the sandbox may be of unknown classification: the signatures available on the date of ingestion may fail to identify the malware by static analysis, and a new family of unknown malware may be ingested that matches no known signature under either static analysis or network traffic analysis. Such malware is written to obfuscate its true purpose and to evade anti-virus signatures and heuristics. Changing obfuscation techniques is generally easier than changing the communications protocol, because a protocol change requires that both the malware controller and the malware itself be modified and tested, whereas a change of obfuscation affects only the malware. Accordingly, malware is commonly obfuscated specifically to hide the indicators in its code that facilitate communications over a network, while the network traffic it actually generates tends to change less often.
A need therefore exists for techniques for retroactively identifying malware programs when signatures that become available at a later date match network traffic previously captured from the sandbox environment.
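As an added illustration that is not part of this disclosure, the following Python example shows the retroactive matching the preceding paragraphs call for: network records captured from earlier sandbox runs are retained, and when a signature published after a capture date matches one of those records, the corresponding sample is reclassified. The record and signature formats, the `TrafficRecord`, `NetworkSignature`, `scan` and `reclassify` names, and all sample identifiers, hostnames, URIs and dates are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class TrafficRecord:
    """One network flow observed while a sample ran in the sandbox (constructed format)."""
    sample_id: str          # hypothetical sample identifier (e.g. a hash in practice)
    captured: date          # date the sample was detonated and the flow recorded
    dst_host: str
    dst_port: int
    http_uri: Optional[str] # None for non-HTTP flows


@dataclass(frozen=True)
class NetworkSignature:
    """A network-traffic signature with the date it became available (constructed format)."""
    name: str
    family: str
    published: date
    host_regex: Optional[str] = None
    uri_regex: Optional[str] = None
    port: Optional[int] = None

    def matches(self, rec: TrafficRecord) -> bool:
        # Every condition present on the signature must hold for the record.
        if self.port is not None and rec.dst_port != self.port:
            return False
        if self.host_regex and not re.search(self.host_regex, rec.dst_host):
            return False
        if self.uri_regex:
            if rec.http_uri is None or not re.search(self.uri_regex, rec.http_uri):
                return False
        return True


@dataclass(frozen=True)
class Hit:
    sample_id: str
    family: str
    signature: str
    captured: date
    published: date

    @property
    def retroactive(self) -> bool:
        # The signature did not yet exist when the traffic was captured.
        return self.published > self.captured


def scan(records: List[TrafficRecord], signatures: List[NetworkSignature]) -> List[Hit]:
    """Match every retained record against every signature, new or old."""
    hits: List[Hit] = []
    for rec in records:
        for sig in signatures:
            if sig.matches(rec):
                hits.append(Hit(rec.sample_id, sig.family, sig.name, rec.captured, sig.published))
    return hits


def reclassify(records: List[TrafficRecord], signatures: List[NetworkSignature]) -> Dict[str, Set[str]]:
    """Map each sample to the families attributed to it only by signatures published after its capture."""
    result: Dict[str, Set[str]] = {}
    for h in scan(records, signatures):
        if h.retroactive:
            result.setdefault(h.sample_id, set()).add(h.family)
    return result


# Constructed sandbox traffic retained from earlier runs (no real hosts or samples).
RECORDS = [
    TrafficRecord("sample-0001", date(2023, 1, 10), "update.examp1e-cdn.test", 443, None),
    TrafficRecord("sample-0001", date(2023, 1, 10), "update.examp1e-cdn.test", 80, "/gate.php?id=7f3a"),
    TrafficRecord("sample-0002", date(2023, 3, 2), "cdn.example.test", 443, None),
    TrafficRecord("sample-0003", date(2023, 6, 1), "beacon.examp1e-cdn.test", 80, "/gate.php?id=0c11"),
]

# Constructed signatures for a hypothetical family, published after the first two captures.
SIGNATURES = [
    NetworkSignature("C2 gate URI", "FamilyA", date(2023, 4, 15),
                     uri_regex=r"^/gate\.php\?id=[0-9a-f]{4}$"),
    NetworkSignature("C2 domain", "FamilyA", date(2023, 4, 15),
                     host_regex=r"\.examp1e-cdn\.test$"),
]

if __name__ == "__main__":
    for sample, families in reclassify(RECORDS, SIGNATURES).items():
        print(f"{sample}: retroactively attributed to {sorted(families)}")
```

In this constructed data set, sample-0001 was detonated months before either signature existed and is attributed to FamilyA only on the later rescan, whereas sample-0003 matches the same signatures but was captured after they were published, so it is an ordinary match rather than a retroactive one. In practice the retained records would be derived from the sandbox's packet captures and the rescan would be triggered on each signature update.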